Geoffrey Smith
School of Computer Science
Florida International University
Miami, FL 33199, USA
smithg@cs.fiu.edu

Abstract

In [15], we give a type system that guarantees that well-typed, multi-threaded programs are possibilistically noninterfering. If thread scheduling is probabilistic, however, then well-typed programs may have probabilistic timing channels. We describe how they can be eliminated without making the type system more restrictive. We show that well-typed concurrent programs are probabilistically noninterfering if every total command with a high guard executes atomically. The proof uses the concept of a probabilistic state of a computation, following the work of Kozen [10].¹

1. Introduction

This work is motivated by applications of mobile code where programs are downloaded, as needed, and executed on a trusted host (examples include web browsers and e-commerce applications for smartcards and set-top boxes). Here a host may have sensitive data that downloaded code may need, and we want assurance that they are not leaked by the code. In some cases, the best approach may simply be to forbid any access to the sensitive data, using some access control mechanism. But often the code will legitimately need to access the data in order to function. In this case, we need to ensure that it is not leaked by the code.

Specifically, this paper is concerned with identifying conditions under which concurrent programs can be proved free of probabilistic timing channels. Previous work has centered around developing a type system for which one can prove that well-typed multi-threaded programs have a possibilistic noninterference property [15]. The proof relies on a purely nondeterministic thread-scheduling semantics. But although the property rules out certainty in deducing private data, its practical utility is somewhat questionable. The trouble is that thread scheduling is usually probabilistic in real implementations, and in this case it is easy to construct well-typed programs with probabilistic timing channels. Here we show how to rule out such channels without making the type system more restrictive.

* This is a corrected version of the paper that appeared in the Proceedings of the 11th IEEE Computer Security Foundations Workshop, Rockport, MA, 9-11 June 1998, pages 34-43.

¹ This material is based upon activities supported by DARPA and by the National Science Foundation under Agreement Nos. CCR-9612176 and CCR-9612345.

1.1. The basic idea

Consider a simple imperative language with threads where each thread is a sequence of commands and threads are scheduled nondeterministically. A thread may access a shared memory through variables which are classified as low (public), or high (private). We want to ensure that concurrent programs cannot copy the contents of high variables to low variables.

Now suppose x is a high variable whose value is either 0 or 1, y is a low variable and c is some command that takes many steps to complete. Then consider the following program:

• Thread α:

    if x = 1 then (c; c);
    y := 1

• Thread β:

    c;
    y := 0

The program is well typed in the secure flow system of [15], so it satisfies a possibilistic noninterference property. Changing the initial value of x does not change the set of possible final values for y.

But suppose the two threads are scheduled by flipping a coin. Then the threads run at roughly the same rate and the value of x ends up being copied into y with high probability. So there is probabilistic interference when thread scheduling obeys a probability distribution, even when the program is well typed. A change in the initial value of x changes the probability distribution of final values of y.

One obvious way to treat the program is through the type system. We might adopt the severe restriction that guards of conditionals be low. In this case, the example is rejected because it is no longer well typed. Another approach is to require that the conditional be executed asynchronously [8]. But there are cases where you want a conditional to execute synchronously.

Another strategy is to extend the language in some way that allows one to use high guards in conditionals, provided a certain (machine-checkable) condition is satisfied. This is the approach we take. In fact, the condition we impose is very simple. We require that conditionals with high guards be executed atomically. This is accomplished by wrapping the conditional with a new command, called protect [14], that guarantees the conditional will be executed atomically in a multi-threaded environment. We will show that such well-typed programs satisfy a probabilistic noninterference property, which says that the probability distribution of the final values of low variables is independent of the initial values of high variables. In general, the property requires that any total command with a high guard must be protected. These commands include primitive recursion and other forms of guarded statements found in programming languages.


2. Syntax and semantics

Threads are expressed in a simple imperative language:

$$
\begin{array}{lrcl}
(\textit{phrases}) & p & ::= & e \mid c \\
(\textit{expressions}) & e & ::= & x \mid n \mid e_1 + e_2 \mid e_1 - e_2 \mid e_1 = e_2 \\
(\textit{commands}) & c & ::= & x := e \mid c_1; c_2 \mid \textbf{if } e \textbf{ then } c_1 \textbf{ else } c_2 \mid \textbf{while } e \textbf{ do } c \mid \textbf{protect } c
\end{array}
$$

Metavariable x ranges over identifiers and n over integer literals. Integers are the only values; we use 0 for false and nonzero for true. Note that expressions do not have side effects, nor do they contain partial operations like division.

We define a small-step transition semantics for individual threads in Figure 1. We assume that expressions are evaluated atomically.² Thus we simply extend a memory $\mu$ in the obvious way to map expressions to integers, writing $\mu(e)$ to denote the value of expression e in memory $\mu$. These rules define a transition relation on configurations. A configuration is either a pair $(c, \mu)$ or simply a memory $\mu$. In the first case, c is the command yet to be executed; in the second case, the command has terminated, yielding final memory $\mu$.

At most one thread can be in a protected section at any time. We capture this property by appealing to a standard natural semantics for commands in the hypothesis of rule (atomicity), written here as $\mu \vdash c \Rightarrow \mu'$. The hypothesis means that command c evaluates completely to a memory $\mu'$ from a memory $\mu$. This is the trick for expressing the atomicity of command execution that allows for a simple noninterference proof. Our natural semantics is standard and is described in [17]. Further, we assume that protected sections are not nested. This is a reasonable assumption since protected sections are transparent in a sequential language, which is what the natural semantics treats. Thus we avoid having to introduce a rule for protect into the natural semantics. Finally, we assume that no while command occurs in a protected section. The reason for this is to simplify our probabilistic semantics. With protect, execution of a thread may block:

    protect while true do skip

One needs to compute the probability of a thread being selected from among the unblocked threads only. By prohibiting the potential for nontermination in a protected section, we are guaranteed that all threads in a thread pool are unblocked in that each can make a transition under $\longrightarrow$. Thus, the probability of a thread being selected from a thread pool O can be determined simply from the size of the pool ($|O|$).

As in [15], we take a concurrent program to be a set O of commands that run concurrently. The set O is called the thread pool and it does not grow during execution. We represent O as a mapping from thread identifiers ($\alpha$, $\beta$, ...) to commands. In addition, there is a single global memory $\mu$, shared by all threads, that maps identifiers to integers. Threads communicate via the shared memory. We call a pair $(O, \mu)$ a global configuration. Execution of a concurrent program takes place under a fixed probability distribution for the scheduling of threads; our semantics prescribes a uniform distribution for simplicity. The execution is defined by rule (global), which lets us prove judgments of the form

$$(O, \mu) \longrightarrow_p (O', \mu').$$

This asserts that the probability of going from $(O, \mu)$ to $(O', \mu')$ is p. The first two global rules in Figure 1 specify the global transitions that can be made by a thread pool. The third global rule is introduced to accommodate our notion of a probabilistic state. As we shall see, it ensures that probabilities of a state sum to 1. With these global rules, we can represent a concurrent program as a discrete Markov chain [3]. The states of the Markov chain are global configurations and the stochastic matrix is determined by $\longrightarrow_p$.

(update)
$$\frac{x \in \mathrm{dom}(\mu)}{(x := e, \mu) \longrightarrow \mu[x := \mu(e)]}$$

(sequence)
$$\frac{(c_1, \mu) \longrightarrow \mu'}{(c_1; c_2, \mu) \longrightarrow (c_2, \mu')}
\qquad
\frac{(c_1, \mu) \longrightarrow (c_1', \mu')}{(c_1; c_2, \mu) \longrightarrow (c_1'; c_2, \mu')}$$

(branch)
$$\frac{\mu(e) \text{ nonzero}}{(\textbf{if } e \textbf{ then } c_1 \textbf{ else } c_2, \mu) \longrightarrow (c_1, \mu)}
\qquad
\frac{\mu(e) = 0}{(\textbf{if } e \textbf{ then } c_1 \textbf{ else } c_2, \mu) \longrightarrow (c_2, \mu)}$$

(loop)
$$\frac{\mu(e) = 0}{(\textbf{while } e \textbf{ do } c, \mu) \longrightarrow \mu}
\qquad
\frac{\mu(e) \text{ nonzero}}{(\textbf{while } e \textbf{ do } c, \mu) \longrightarrow (c; \textbf{while } e \textbf{ do } c, \mu)}$$

(atomicity)
$$\frac{\mu \vdash c \Rightarrow \mu'}{(\textbf{protect } c, \mu) \longrightarrow \mu'}$$

(global)
$$\frac{O(\alpha) = c \qquad (c, \mu) \longrightarrow \mu' \qquad p = 1/|O|}{(O, \mu) \longrightarrow_p (O - \alpha, \mu')}
\qquad
\frac{O(\alpha) = c \qquad (c, \mu) \longrightarrow (c', \mu') \qquad p = 1/|O|}{(O, \mu) \longrightarrow_p (O[\alpha := c'], \mu')}$$

Figure 1. Sequential and concurrent transition semantics

² The noninterference property we prove does not depend on atomicity here unless the time it takes to evaluate an expression depends on the values of high variables.

3. The type system

Here are the types used by our type system:

$$
\begin{array}{lrcl}
(\textit{data types}) & \tau & ::= & L \mid H \\
(\textit{phrase types}) & \rho & ::= & \tau \mid \tau\ \textit{var} \mid \tau\ \textit{cmd}
\end{array}
$$

For simplicity, we limit the security classes here to just L and H; it is possible to generalize to an arbitrary partial order of security classes.

The type system is the system of [15], extended with a rule for protect. Its rules are given in Figure 2. The rules allow us to prove typing judgments of the form $\gamma \vdash p : \rho$ as well as subtyping judgments of the form $\rho_1 \subseteq \rho_2$. Here $\gamma$ denotes an identifier typing, which is a finite function from identifiers to phrase types. Note that guards of conditionals may be high.

If $\gamma \vdash c : \rho$ for some $\rho$, then we say that c is well typed under $\gamma$. Also, if $O(\alpha)$ is well typed under $\gamma$ for every $\alpha \in \mathrm{dom}(O)$, then we say that O is well typed under $\gamma$.

4. Probabilistic states

Loosely speaking, our formulation of probabilistic noninterference is a sort of probabilistic lock step execution statement. Under two memories that may differ on high variables, we want to know that the probability that a concurrent program can reach some global configuration under one of the memories is the same as the probability that it reaches an equivalent configuration under the other.

A concurrent program is represented as a discrete Markov chain [3], the states of which are global configurations $(O, \mu)$. The stochastic matrix T of the Markov chain is determined by the relation $\longrightarrow_p$. For example, consider the following program:

    O = {α := while l = 0 do skip, β := (l := 1)}

The program can get into at most five different configurations, and so its Markov chain has five states, given in Figure 3. The stochastic matrix T for this Markov chain is given in Figure 4. The probability of a transition from state 1, for instance, to state 2 is 1/2 because p = 1/2 in the hypothesis of the first global rule, the rule that allows this transition to occur.

Figure 4. Stochastic matrix

The set of Markov states may be countably infinite (a simple example is a nonterminating loop that increments a variable). In this case, the stochastic matrix is also countably infinite. In general, if T is a stochastic matrix and $T((O, \mu), (O', \mu')) > 0$, for some global configurations $(O, \mu)$ and $(O', \mu')$, then either O is nonempty and $T((O, \mu), (O', \mu')) = 1/|O|$, or O and O' are empty, $\mu = \mu'$, and $T((O, \mu), (O', \mu')) = 1$.

Kozen uses measures to capture the distributions of values of variables in probabilistic programs [10]. Our strategy is similar. Using the Markov chain, we can model the execution of a concurrent program deterministically as a sequence of probabilistic states.

Definition 4.1 A probabilistic state is a probability measure on the set of global configurations.

A probabilistic state can be represented as a row vector, whose components must sum to 1. So if T is a stochastic matrix and s is a probabilistic state, then the next probabilistic state in the sequence of such states modeling a concurrent computation is simply the vector-matrix product sT. For instance, the initial probabilistic state for the program O in our preceding example, with five states, is (1 0 0 0 0). It indicates that the Markov chain begins in state 1 with certainty. The next state is given by taking the product of this state with the stochastic matrix of Figure 4, giving (0 1/2 1/2 0 0). This state indicates the Markov chain can be in states 2 and 3, each with a probability of 1/2. Multiplying this vector by T, we get the third probabilistic state, (1/4 0 0 1/4 1/2); we can determine the complete execution in this way. The first five probabilistic states in the sequence are depicted in Figure 5. The fifth state, for instance, tells us that the probability that O terminates under memory [l := 0] in at most four steps is 7/8.

(ident)
$$\frac{\gamma(x) = \rho}{\gamma \vdash x : \rho}$$

(int)
$$\gamma \vdash n : \tau$$

(r-val)
$$\frac{\gamma \vdash e : \tau\ \textit{var}}{\gamma \vdash e : \tau}$$

(sum)
$$\frac{\gamma \vdash e_1 : \tau, \quad \gamma \vdash e_2 : \tau}{\gamma \vdash e_1 + e_2 : \tau}$$

(assign)
$$\frac{\gamma \vdash x : \tau\ \textit{var}, \quad \gamma \vdash e : \tau}{\gamma \vdash x := e : \tau\ \textit{cmd}}$$

(compose)
$$\frac{\gamma \vdash c_1 : \tau\ \textit{cmd}, \quad \gamma \vdash c_2 : \tau\ \textit{cmd}}{\gamma \vdash c_1; c_2 : \tau\ \textit{cmd}}$$

(if)
$$\frac{\gamma \vdash e : \tau, \quad \gamma \vdash c_1 : \tau\ \textit{cmd}, \quad \gamma \vdash c_2 : \tau\ \textit{cmd}}{\gamma \vdash \textbf{if } e \textbf{ then } c_1 \textbf{ else } c_2 : \tau\ \textit{cmd}}$$

(while)
$$\frac{\gamma \vdash e : L, \quad \gamma \vdash c : \tau\ \textit{cmd}}{\gamma \vdash \textbf{while } e \textbf{ do } c : L\ \textit{cmd}}$$

(protect)
$$\frac{\gamma \vdash c : \tau\ \textit{cmd}}{\gamma \vdash \textbf{protect } c : \tau\ \textit{cmd}}$$

(base)
$$L \subseteq H$$

(reflex)
$$\rho \subseteq \rho$$

(cmd⁻)
$$\frac{\tau_1 \subseteq \tau_2}{\tau_2\ \textit{cmd} \subseteq \tau_1\ \textit{cmd}}$$

(subtype)
$$\frac{\gamma \vdash p : \rho_1, \quad \rho_1 \subseteq \rho_2}{\gamma \vdash p : \rho_2}$$

Figure 2. Typing and subtyping rules

1) ({α := while l = 0 do skip, β := (l := 1)}, [l := 0])
2) ({α := while l = 0 do skip}, [l := 1])
3) ({α := skip; while l = 0 do skip, β := (l := 1)}, [l := 0])
4) ({α := skip; while l = 0 do skip}, [l := 1])
5) ({ }, [l := 1])

Figure 3. States of Markov chain

{ ({α := while l = 0 do skip, β := (l := 1)}, [l := 0]) : 1 }
↓
{ ({α := while l = 0 do skip}, [l := 1]) : 1/2,
  ({α := skip; while l = 0 do skip, β := (l := 1)}, [l := 0]) : 1/2 }
↓
{ ({ }, [l := 1]) : 1/2,
  ({α := while l = 0 do skip, β := (l := 1)}, [l := 0]) : 1/4,
  ({α := skip; while l = 0 do skip}, [l := 1]) : 1/4 }
↓
{ ({ }, [l := 1]) : 1/2,
  ({α := skip; while l = 0 do skip, β := (l := 1)}, [l := 0]) : 1/8,
  ({α := while l = 0 do skip}, [l := 1]) : 3/8 }
↓
{ ({ }, [l := 1]) : 7/8,
  ({α := while l = 0 do skip, β := (l := 1)}, [l := 0]) : 1/16,
  ({α := skip; while l = 0 do skip}, [l := 1]) : 1/16 }

Figure 5. A probabilistic state sequence

Thread pool O is an example of a concurrent program that is probabilistically total since it halts with probability 1, but is not nondeterministically total for it has an infinite computation path.

Note that although there may be infinitely many states in the Markov chains corresponding to our programs, the probabilistic states that arise in our program executions will only assign nonzero probability to finitely many of them. This is because we begin execution in a single global configuration $(O, \mu)$, and we only branch by at most a factor of k at each step, where k is the number of threads in O. If we were to extend our language with a random number generator that returns an arbitrary integer with respect to some probability distribution, then we would have to consider probabilistic states which give nonzero probabilities to an infinite number of global configurations.

With probabilistic states, we can now see how probability distributions can be sensitive to initial values of high variables, even for programs that have types in the system of Figure 2. Consider the example in the introduction where c is instantiated to skip:

    O = { α := (if x = 1 then skip; skip); y := 1,
          β := (skip; y := 0) }

Each thread is well typed, assuming skip has type H cmd. We give two sequences of state transitions. One begins with x equal to 0 (Figure 6) and the other with x equal to 1 (Figure 7). Notice the change in distribution for the final values of y when the initial value of the high variable x changes. For instance, the probability that y has final value 1 when x equals 1 is 13/16, and falls to 1/2 when x equals 0. What is going on here is that the initial value of x affects the amount of time required to execute the conditional; this in turn affects the likely order in which the two assignments to y are executed. Now suppose that we protect the conditional in this example. Then the conditional (in effect) executes in one step, regardless of the value of x, and so the sequence of transitions for x = 0 is equivalent, state by state, to the sequence of transitions for x = 1 (Figures 8 and 9).
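The probabilistic state sequences of this section can be recomputed mechanically. The following is an added example, not code from the paper: it implements the transition rules of Figure 1 with exact fractions and serves both the Markov chain example (Figure 5) and the timing-channel example (Figures 6 to 9). The tuple encoding of commands, the one-step `skip`, and the one-armed `if` that terminates in one step on a false guard are assumptions chosen to match the figures.

```python
from fractions import Fraction

# Constructed encoding of the page's syntax (an assumption of this example):
#   commands: ("skip",) ("assign", x, e) ("seq", c1, c2) ("if", e, c1, c2_or_None)
#             ("while", e, c) ("protect", c);  expressions: ("lit", n) ("var", x) ("eq", e1, e2)

def ev(e, mem):
    """mu(e): value of e in memory mem (0 is false, nonzero is true)."""
    if e[0] == "eq":
        return int(ev(e[1], mem) == ev(e[2], mem))
    return e[1] if e[0] == "lit" else mem[e[1]]

def step(c, mem):
    """One sequential transition: (remaining command or None, new memory)."""
    tag = c[0]
    if tag == "skip":                 # assumption: skip terminates in one step
        return None, mem
    if tag == "assign":
        return None, {**mem, c[1]: ev(c[2], mem)}
    if tag == "seq":
        rest, mem2 = step(c[1], mem)
        return (c[2] if rest is None else ("seq", rest, c[2])), mem2
    if tag == "if":                   # c[3] is None for a one-armed if
        return (c[2] if ev(c[1], mem) != 0 else c[3]), mem
    if tag == "while":
        return (("seq", c[2], c) if ev(c[1], mem) != 0 else None), mem
    if tag == "protect":              # rule (atomicity): the body runs to completion
        rest = c[1]
        while rest is not None:
            rest, mem = step(rest, mem)
        return None, mem
    raise ValueError(f"unknown command {c!r}")

def freeze(pool, mem):                # hashable global configuration (O, mu)
    return tuple(sorted(pool.items())), tuple(sorted(mem.items()))

def advance(state):
    """Next probabilistic state sT under the uniform scheduler."""
    nxt = {}
    for (pool, mem), pr in state.items():
        if not pool:                  # empty pool: stays put with probability 1
            nxt[(pool, mem)] = nxt.get((pool, mem), 0) + pr
            continue
        for name, cmd in pool:        # each thread is chosen with p = 1/|O|
            rest, mem2 = step(cmd, dict(mem))
            new_pool = {n: c for n, c in pool if n != name}
            if rest is not None:
                new_pool[name] = rest
            key = freeze(new_pool, mem2)
            nxt[key] = nxt.get(key, 0) + pr / len(pool)
    return nxt

def trace(pool, mem, steps):
    """Probabilistic states s, sT, sTT, ... from the point mass on (pool, mem)."""
    states = [{freeze(pool, mem): Fraction(1)}]
    for _ in range(steps):
        states.append(advance(states[-1]))
    return states

def project(state, low):
    """Definition 5.3: erase variables outside `low`, summing collapsed entries."""
    out = {}
    for (pool, mem), pr in state.items():
        key = (pool, tuple(kv for kv in mem if kv[0] in low))
        out[key] = out.get(key, 0) + pr
    return out

def halted(state):                    # mass on configurations with an empty pool
    return sum(pr for (pool, _), pr in state.items() if not pool)

def prob(state, var, value):          # mass on configurations where var == value
    return sum(pr for (_, mem), pr in state.items() if dict(mem)[var] == value)

SKIP = ("skip",)
COND = ("if", ("eq", ("var", "x"), ("lit", 1)), ("seq", SKIP, SKIP), None)
LOOP_POOL = {"alpha": ("while", ("eq", ("var", "l"), ("lit", 0)), SKIP),
             "beta": ("assign", "l", ("lit", 1))}

def pool(protected):
    cond = ("protect", COND) if protected else COND
    return {"alpha": ("seq", cond, ("assign", "y", ("lit", 1))),
            "beta": ("seq", SKIP, ("assign", "y", ("lit", 0)))}

def final_y1(protected, x):
    """P(y = 1) after both threads finish (six steps always suffice here)."""
    return prob(trace(pool(protected), {"x": x, "y": 0}, 6)[-1], "y", 1)

def lock_step(protected, steps=6):
    """True if the x = 0 and x = 1 runs agree at every step once x is projected out."""
    a = trace(pool(protected), {"x": 0, "y": 0}, steps)
    b = trace(pool(protected), {"x": 1, "y": 0}, steps)
    return all(project(s, {"y"}) == project(t, {"y"}) for s, t in zip(a, b))

if __name__ == "__main__":
    print("halted within 4 steps:", halted(trace(LOOP_POOL, {"l": 0}, 4)[-1]))
    print("P(y=1), unprotected:", final_y1(False, 0), final_y1(False, 1))
    print("P(y=1), protected:  ", final_y1(True, 0), final_y1(True, 1))
```
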

5. Probabilistic noninterference

Now we are ready to prove our main result. We begin with two lemmas which are proved in [17]:

Lemma 5.1 (Simple Security) If $\gamma \vdash e : L$, then $\gamma(x) = L$ for every identifier x in e.

Lemma 5.2 (Confinement) If $\gamma \vdash c : H\ \textit{cmd}$, then $\gamma(x) = H\ \textit{var}$ for every identifier x assigned to in c.

Definition 5.1 (Protected) A command is protected if every conditional in the command with a guard of type H falls within the scope of a protect.
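The two conditions the main result relies on, typability under Figure 2 and Definition 5.1, are both syntax-directed and can be checked by a short program. The following is an added example, not code from the paper: the tuple encoding of commands, the function names, and the reading of "a guard of type H" as "a guard whose least type is H" are assumptions of this sketch, and `skip` is given type H cmd as the page assumes.

```python
L, H = 0, 1                                   # security classes, L below H

class IllTyped(Exception):
    pass

# Constructed encoding: ("skip",) ("assign", x, e) ("seq", c1, c2)
# ("if", e, c1, c2_or_None) ("while", e, c) ("protect", c);
# expressions: ("lit", n) ("var", x) ("add"|"sub"|"eq", e1, e2)

def expr_level(e, gamma):
    """Least tau with gamma |- e : tau: the join of the classes of e's variables."""
    if e[0] == "lit":
        return L
    if e[0] == "var":
        return gamma[e[1]]
    return max(expr_level(e[1], gamma), expr_level(e[2], gamma))

def cmd_level(c, gamma):
    """Greatest tau with gamma |- c : tau cmd; raises IllTyped if there is none."""
    tag = c[0]
    if tag == "skip":                         # the page assumes skip : H cmd
        return H
    if tag == "assign":                       # (assign): e must be typable at x's class
        if expr_level(c[2], gamma) > gamma[c[1]]:
            raise IllTyped(f"assignment to {c[1]} from a higher expression")
        return gamma[c[1]]
    if tag == "seq":                          # (compose)
        return min(cmd_level(c[1], gamma), cmd_level(c[2], gamma))
    if tag == "if":                           # (if): guard class <= class of each branch
        body = min(cmd_level(b, gamma) for b in c[2:] if b is not None)
        if expr_level(c[1], gamma) > body:
            raise IllTyped("branch assigns below the class of its guard")
        return body
    if tag == "while":                        # (while): the guard must be L
        if expr_level(c[1], gamma) != L:
            raise IllTyped("while with a high guard")
        cmd_level(c[2], gamma)
        return L
    if tag == "protect":                      # (protect)
        return cmd_level(c[1], gamma)
    raise ValueError(f"unknown command {c!r}")

def well_typed(c, gamma):
    try:
        cmd_level(c, gamma)
        return True
    except IllTyped:
        return False

def violations(c, gamma, inside=False):
    """Reasons c fails Definition 5.1 or the page's restrictions on protect."""
    tag, found = c[0], []
    if tag == "if":
        if not inside and expr_level(c[1], gamma) == H:
            found.append("high guard outside protect")
        subs = [b for b in c[2:] if b is not None]
    elif tag == "seq":
        subs = [c[1], c[2]]
    elif tag == "while":
        if inside:
            found.append("while inside protect")
        subs = [c[2]]
    elif tag == "protect":
        if inside:
            found.append("nested protect")
        subs, inside = [c[1]], True
    else:
        subs = []
    for sub in subs:
        found += violations(sub, gamma, inside)
    return found

# Thread alpha of the running example, with x high and y low.
GAMMA = {"x": H, "y": L}
X1 = ("eq", ("var", "x"), ("lit", 1))
COND = ("if", X1, ("seq", ("skip",), ("skip",)), None)
ALPHA = ("seq", COND, ("assign", "y", ("lit", 1)))
ALPHA_PROTECTED = ("seq", ("protect", COND), ("assign", "y", ("lit", 1)))
# protect does not weaken the type system: this implicit flow stays ill typed.
IMPLICIT = ("protect", ("if", X1, ("assign", "y", ("lit", 1)), ("assign", "y", ("lit", 0))))
```
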

Definition 5.2 Given an identifier typing $\gamma$, we say that memories $\mu$ and $\nu$ are equivalent, written $\mu \sim_\gamma \nu$, if $\mu$, $\nu$, and $\gamma$ have the same domain and $\mu$ and $\nu$ agree on all L identifiers.


{ ({α := (if x = 1 then skip; skip); y := 1, β := (skip; y := 0)}, [x := 0, y := 0]) : 1 }
↓
{ ({α := (if x = 1 then skip; skip); y := 1, β := y := 0}, [x := 0, y := 0]) : 1/2,
  ({α := y := 1, β := (skip; y := 0)}, [x := 0, y := 0]) : 1/2 }
↓
{ ({α := (if x = 1 then skip; skip); y := 1}, [x := 0, y := 0]) : 1/4,
  ({α := y := 1, β := y := 0}, [x := 0, y := 0]) : 1/2,
  ({β := (skip; y := 0)}, [x := 0, y := 1]) : 1/4 }
↓
{ ({α := y := 1}, [x := 0, y := 0]) : 1/2,
  ({β := y := 0}, [x := 0, y := 1]) : 1/2 }
↓
{ ({ }, [x := 0, y := 1]) : 1/2,
  ({ }, [x := 0, y := 0]) : 1/2 }

Figure 6. Probabilistic state sequence when x = 0


{ ({α := (if x = 1 then skip; skip); y := 1, β := (skip; y := 0)}, [x := 1, y := 0]) : 1 }
↓
{ ({α := (if x = 1 then skip; skip); y := 1, β := y := 0}, [x := 1, y := 0]) : 1/2,
  ({α := (skip; skip); y := 1, β := (skip; y := 0)}, [x := 1, y := 0]) : 1/2 }
↓
{ ({α := (if x = 1 then skip; skip); y := 1}, [x := 1, y := 0]) : 1/4,
  ({α := (skip; skip); y := 1, β := y := 0}, [x := 1, y := 0]) : 1/2,
  ({α := skip; y := 1, β := (skip; y := 0)}, [x := 1, y := 0]) : 1/4 }
↓
{ ({α := (skip; skip); y := 1}, [x := 1, y := 0]) : 1/2,
  ({α := skip; y := 1, β := y := 0}, [x := 1, y := 0]) : 3/8,
  ({α := y := 1, β := (skip; y := 0)}, [x := 1, y := 0]) : 1/8 }
↓
{ ({α := skip; y := 1}, [x := 1, y := 0]) : 11/16,
  ({α := y := 1, β := y := 0}, [x := 1, y := 0]) : 1/4,
  ({β := (skip; y := 0)}, [x := 1, y := 1]) : 1/16 }
↓
{ ({α := y := 1}, [x := 1, y := 0]) : 13/16,
  ({β := y := 0}, [x := 1, y := 1]) : 3/16 }
↓
{ ({ }, [x := 1, y := 1]) : 13/16,
  ({ }, [x := 1, y := 0]) : 3/16 }

Figure 7. Probabilistic state sequence when x = 1

{ ({α := (protect if x = 1 then skip; skip); y := 1, β := (skip; y := 0)}, [x := 0, y := 0]) : 1 }
↓
{ ({α := (protect if x = 1 then skip; skip); y := 1, β := y := 0}, [x := 0, y := 0]) : 1/2,
  ({α := y := 1, β := (skip; y := 0)}, [x := 0, y := 0]) : 1/2 }
↓
{ ({α := (protect if x = 1 then skip; skip); y := 1}, [x := 0, y := 0]) : 1/4,
  ({α := y := 1, β := y := 0}, [x := 0, y := 0]) : 1/2,
  ({β := (skip; y := 0)}, [x := 0, y := 1]) : 1/4 }
↓
{ ({α := y := 1}, [x := 0, y := 0]) : 1/2,
  ({β := y := 0}, [x := 0, y := 1]) : 1/2 }
↓
{ ({ }, [x := 0, y := 1]) : 1/2,
  ({ }, [x := 0, y := 0]) : 1/2 }

Figure 8. Probabilistic state sequence when x = 0


{ ({α := (protect if x = 1 then skip; skip); y := 1, β := (skip; y := 0)}, [x := 1, y := 0]) : 1 }
↓
{ ({α := (protect if x = 1 then skip; skip); y := 1, β := y := 0}, [x := 1, y := 0]) : 1/2,
  ({α := y := 1, β := (skip; y := 0)}, [x := 1, y := 0]) : 1/2 }
↓
{ ({α := (protect if x = 1 then skip; skip); y := 1}, [x := 1, y := 0]) : 1/4,
  ({α := y := 1, β := y := 0}, [x := 1, y := 0]) : 1/2,
  ({β := (skip; y := 0)}, [x := 1, y := 1]) : 1/4 }
↓
{ ({α := y := 1}, [x := 1, y := 0]) : 1/2,
  ({β := y := 0}, [x := 1, y := 1]) : 1/2 }
↓
{ ({ }, [x := 1, y := 1]) : 1/2,
  ({ }, [x := 1, y := 0]) : 1/2 }

Figure 9. Probabilistic state sequence when x = 1


We now show that if we execute a well-typed, protected command c in two equivalent memories, the two executions proceed in lock step:

Lemma 5.3 (Lock Step Execution) Suppose c is well typed under $\gamma$ and protected, and that $\mu \sim_\gamma \nu$. If $(c, \mu) \longrightarrow (c', \mu')$, then there exists $\nu'$ such that $(c, \nu) \longrightarrow (c', \nu')$ and $\mu' \sim_\gamma \nu'$. And if $(c, \mu) \longrightarrow \mu'$, then there exists $\nu'$ such that $(c, \nu) \longrightarrow \nu'$ and $\mu' \sim_\gamma \nu'$.

Proof. By induction on the structure of c. The interesting cases are the protect command and conditionals. In particular, we need only consider conditionals with guards of type L since those with guards of type H are protected and therefore fall under the protect case.

For conditionals with guards e of type L, the theorem follows from Lemma 5.1 which guarantees that $\mu(e) = \nu(e)$, and therefore evaluation of the conditional under $\nu$ may proceed along the same branch as the evaluation under $\mu$.

Now suppose $(\textbf{protect } c, \mu) \longrightarrow \mu'$ and $\mu \sim_\gamma \nu$. Then by rule (atomicity),

$$\mu \vdash c \Rightarrow \mu'$$

By the Termination Agreement theorem (Theorem 3.1, [16]), there is a memory $\nu'$ such that $\nu \vdash c \Rightarrow \nu'$ and $\mu' \sim_\gamma \nu'$. Thus, $(\textbf{protect } c, \nu) \longrightarrow \nu'$. □

Now we wish to extend the Lock Step Execution lemma to probabilistic states. First, we need a notion of equivalence among probabilistic states. The basic idea is that two probabilistic states are equivalent under $\gamma$ if they are the same after any high variables are projected out. Suppose, for example, that x : H and y : L. Then

    { (O, [x := 0, y := 0]) : 1/3,
      (O, [x := 1, y := 0]) : 1/3,
      (O', [x := 0, y := 1]) : 1/3 }

is equivalent to

    { (O, [x := 2, y := 0]) : 2/3, (O', [x := 3, y := 1]) : 1/3 },

because in each case the result of projecting out the high variable x is

    { (O, [y := 0]) : 2/3, (O', [y := 1]) : 1/3 }.

Notice that projecting out high variables can cause several configurations to collapse into one, requiring that their probabilities be summed. More formally, we define equivalence as follows:³

³ Definition 5.3 here differs from the one in the workshop proceedings. The one in the proceedings is incorrect.


Definition 5.3 Given identifier typing $\gamma$ and memory $\mu$, let $\mu_\gamma$ denote the result of erasing all high variables from $\mu$. And given probabilistic state s, let the projection of s onto the low variables of $\gamma$, denoted $s_\gamma$, be defined by

$$s_\gamma(O, \mu_\gamma) = \sum_{\nu \text{ such that } \nu \sim_\gamma \mu} s(O, \nu)$$

Finally, we say that probabilistic states s and s' are equivalent under $\gamma$, written $s \sim_\gamma s'$, if $s_\gamma = s'_\gamma$.

Next we say that a probabilistic state s is well typed and protected under $\gamma$ if for every global configuration $(O, \mu)$ with $s(O, \mu) > 0$, every thread in O is well typed and protected under $\gamma$, and $\mathrm{dom}(\mu) = \mathrm{dom}(\gamma)$.

For any global configuration $(O, \mu)$, the point mass on $(O, \mu)$, denoted $\iota_{(O,\mu)}$, is the probabilistic state that gives probability 1 to $(O, \mu)$ and probability 0 to all other global configurations.

Now we can show, as a corollary to the Lock Step Execution lemma, that $\sim_\gamma$ is a congruence with respect to the stochastic matrix T on well-typed, protected point masses.

Lemma 5.4 (Congruence on Point Masses) If $\iota$ and $\iota'$ are well-typed, protected point masses such that $\iota \sim_\gamma \iota'$, then $\iota T \sim_\gamma \iota' T$.

Proof. Since $\iota \sim_\gamma \iota'$, there must exist a thread pool O and memories $\mu$ and $\nu$ such that $\iota = \iota_{(O,\mu)}$, $\iota' = \iota_{(O,\nu)}$, and $\mu \sim_\gamma \nu$.

If O = { }, then by third (global) rule, we see that $\iota T = \iota$ and $\iota' T = \iota'$. So $\iota T \sim_\gamma \iota' T$.

Now suppose that O is nonempty. We show that for every $(O', \mu')$ where $(\iota T)(O', \mu') > 0$, there is a $\nu'$ such that $\mu' \sim_\gamma \nu'$ and $(\iota T)(O', \mu') = (\iota' T)(O', \nu')$. So suppose $(O', \mu')$ is a global configuration and $(\iota T)(O', \mu') > 0$. Since $\iota$ is a point mass,

$$(\iota T)(O', \mu') = T((O, \mu), (O', \mu'))$$

Therefore, $T((O, \mu), (O', \mu')) > 0$. By the definition of T, then, $T((O, \mu), (O', \mu')) = 1/|O|$ and there is a thread $\alpha$ and command c such that $O(\alpha) = c$ and either

1. $(c, \mu) \longrightarrow (c', \mu')$ and $O' = O[\alpha := c']$, or else

2. $(c, \mu) \longrightarrow \mu'$ and $O' = O - \alpha$.

In the first case, we have, by the Lock Step Execution lemma, that there exists $\nu'$ such that $(c, \nu) \longrightarrow (c', \nu')$ and $\mu' \sim_\gamma \nu'$. Then, by rule (global), $(O, \nu) \longrightarrow_{1/|O|} (O[\alpha := c'], \nu')$, so by definition of T,

$$T((O, \nu), (O', \nu')) = 1/|O|$$

But $\iota'$ is also a point mass, therefore

$$(\iota' T)(O', \nu') = T((O, \nu), (O', \nu'))$$

Thus, $(\iota T)(O', \mu') = 1/|O| = (\iota' T)(O', \nu')$. The second case above is similar.

So for a given configuration $(O, \mu)$, if $\mu \sim_\gamma \nu$ and $(\iota T)(O, \nu) > 0$, then there exists $\nu'$ such that $\nu \sim_\gamma \nu'$ and $(\iota' T)(O, \nu') = (\iota T)(O, \nu)$ from above. Since $\nu' \sim_\gamma \mu$, $(\iota' T)(O, \nu')$ must be in the sum $(\iota' T)_\gamma(O, \mu_\gamma)$. Therefore, $(\iota T)_\gamma(O, \mu_\gamma) \le (\iota' T)_\gamma(O, \mu_\gamma)$. Symmetrically, we have $(\iota T)_\gamma(O, \mu_\gamma) \ge (\iota' T)_\gamma(O, \mu_\gamma)$ and so $(\iota T)_\gamma = (\iota' T)_\gamma$, or $\iota T \sim_\gamma \iota' T$. □

Now we wish to generalize the above Congruence lemma from point masses to arbitrary probabilistic states; this generalization is a direct consequence of the linearity of T. More precisely, the set of all measures forms a vector space if we define

• $(s + s')(O, \mu) = s(O, \mu) + s'(O, \mu)$, for measures s and s', and

• $(as)(O, \mu) = a(s(O, \mu))$, for real a and measure s.

With respect to this vector space, T is a linear transformation. Furthermore, $\sim_\gamma$ respects the vector space operations:

Lemma 5.5 If $s_i \sim_\gamma s'_i$ for all i, then

$$a_1 s_1 + a_2 s_2 + a_3 s_3 + \cdots \;\sim_\gamma\; a_1 s'_1 + a_2 s'_2 + a_3 s'_3 + \cdots$$

Theorem 5.6 (Probabilistic Noninterference) If s and s' are well-typed, protected probabilistic states such that $s \sim_\gamma s'$, then $sT \sim_\gamma s'T$.

Proof. To begin with, we argue that $s$ and $s'$ can be
expressed as (possibly countably infinite) linear combinations
of (not necessarily distinct) point masses such
that the corresponding coefficients are the same, and
the corresponding point masses are equivalent.

Now, we know that we can express $s$ and $s'$ as linear
combinations of point masses:

$s = a_1 \iota_1 + a_2 \iota_2 + a_3 \iota_3 + \cdots$

and

$s' = b_1 \iota'_1 + b_2 \iota'_2 + b_3 \iota'_3 + \cdots$

Assume, for now, that $s_\gamma$ (and $s'_\gamma$) is a point mass.
That is, $\iota_i \sim_\gamma \iota_j \sim_\gamma \iota'_i \sim_\gamma \iota'_j$ for all $i$ and $j$.

Note that the $a_i$'s and $b_i$'s both sum to 1; hence
they both can be understood as partitioning the unit
interval [0, 1]:


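[Figure: the unit interval [0, 1] partitioned two ways, into segments $a_1, a_2, a_3, \ldots$ and into segments $b_1, b_2, \ldots$]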


To unify the coefficients in the two linear combinations,
we must take the union of the two partitions, splitting
up any terms that cross partition boundaries. For example,
based on the picture above we would split the
term $a_1 \iota_1$ of $s$ into $b_1 \iota_1 + (a_1 - b_1)\iota_1$. And we would split
the term $b_2 \iota'_2$ of $s'$ into $(a_1 - b_1)\iota'_2 + (b_2 - (a_1 - b_1))\iota'_2$.
Continuing in this way, we can unify the coefficients of
$s$ and $s'$.

We can describe the splitting process more precisely
as follows. We simultaneously traverse $s$ and $s'$, splitting
terms as we go. Let $a\iota$ and $b\iota'$ be the next terms
to be unified. If $a = b$, then keep both these terms
unchanged. If $a < b$, then keep term $a\iota$ in $s$, but split
$b\iota'$ into $a\iota'$ and $(b - a)\iota'$ in $s'$. Handle the case $a > b$
symmetrically. If one or both of the sums are infinite,
then of course the algorithm gives an infinite sum. But
each term of $s$ and of $s'$ is split only finitely often
(otherwise the $a_i$'s and $b_i$'s would not have the same sum)
with one exception—if $s$ is a finite sum and $s'$ is an
infinite sum, then the last term of $s$ is split into an
infinite sum.
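The splitting process above, written out for finite sums as an added example (not code from the paper): `unify` and `regroup` are hypothetical names, string labels stand in for point masses, and exact fractions keep the coefficients from drifting. The sample sums are constructed to match the case the text walks through, where $b_1 < a_1 < b_1 + b_2$.

```python
from fractions import Fraction as F

def unify(s, s_prime):
    """Split terms of two finite sums so their coefficients line up.

    s, s_prime: lists of (coefficient, point_mass_label) with positive
    coefficients and equal totals. Returns (c, label, label_prime) triples.
    """
    if any(c <= 0 for c, _ in s + s_prime):
        raise ValueError("coefficients must be positive")
    if sum(c for c, _ in s) != sum(c for c, _ in s_prime):
        raise ValueError("the two sums must have the same total")
    if not s:
        return []
    out, i, j = [], 0, 0
    a, b = s[0][0], s_prime[0][0]      # unconsumed part of the current terms
    while i < len(s) and j < len(s_prime):
        c = min(a, b)                  # a = b: keep both; else split the larger
        out.append((c, s[i][1], s_prime[j][1]))
        a, b = a - c, b - c
        if a == 0:                     # current term of s is used up
            i += 1
            a = s[i][0] if i < len(s) else F(0)
        if b == 0:                     # current term of s' is used up
            j += 1
            b = s_prime[j][0] if j < len(s_prime) else F(0)
    return out

def regroup(terms, side):
    """Add the split coefficients back up per label (side 1 = s, 2 = s')."""
    total = {}
    for term in terms:
        total[term[side]] = total.get(term[side], F(0)) + term[0]
    return total

# Constructed sample: a = (1/2, 1/4, 1/4), b = (1/3, 2/3).
S = [(F(1, 2), "i1"), (F(1, 4), "i2"), (F(1, 4), "i3")]
S_PRIME = [(F(1, 3), "i1'"), (F(2, 3), "i2'")]

if __name__ == "__main__":
    for c, label, label_prime in unify(S, S_PRIME):
        print(c, label, label_prime)
```

Regrouping the unified terms by either label recovers the original coefficients, so the split changes only how each sum is written, not the measure it denotes.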

So far, we have shown how to unify the coefficients of
$s$ and $s'$ in the case where $s_\gamma$ (and $s'_\gamma$) is a point mass.
In the general case, $s$ and $s'$ must first be rearranged
into sums of sums of equivalent point masses:

$s = (a_{11}\iota_{11} + a_{12}\iota_{12} + \cdots) + (a_{21}\iota_{21} + a_{22}\iota_{22} + \cdots) + \cdots$

and

$s' = (b_{11}\iota'_{11} + b_{12}\iota'_{12} + \cdots) + (b_{21}\iota'_{21} + b_{22}\iota'_{22} + \cdots) + \cdots$

where $\iota_{ij} \sim_\gamma \iota_{ik} \sim_\gamma \iota'_{ij} \sim_\gamma \iota'_{ik}$ for all $i$, $j$, and $k$. Also,
for each $i$, $\sum_j a_{ij} = \sum_j b_{ij}$. Hence we can apply the
algorithm above to unify the $a_{1j}$'s with the $b_{1j}$'s, the
$a_{2j}$'s with the $b_{2j}$'s, and so forth. Then we can form a
single sum for $s$ and for $s'$ by interleaving these sums
in a standard way.

The final result of all this effort is that we can express
$s$ and $s'$ as

$s = c_1 \iota''_1 + c_2 \iota''_2 + c_3 \iota''_3 + \cdots$

and

$s' = c_1 \iota'''_1 + c_2 \iota'''_2 + c_3 \iota'''_3 + \cdots$

where $\iota''_i \sim_\gamma \iota'''_i$ for all $i$. Now, since $T$ is a linear
transformation, we have

$sT = c_1(\iota''_1 T) + c_2(\iota''_2 T) + c_3(\iota''_3 T) + \cdots$

and

$s'T = c_1(\iota'''_1 T) + c_2(\iota'''_2 T) + c_3(\iota'''_3 T) + \cdots$

By the Congruence on Point Masses Lemma, we have
$\iota''_i T \sim_\gamma \iota'''_i T$, for all $i$. So, by the lemma above,
$sT \sim_\gamma s'T$. □

6.  Discussion 

The need for a probabilistic view of security in nondeterministic
computer systems has been understood for some time [18, 12].
Security properties (models) to treat probabilistic channels in
nondeterministic systems have been formulated by McLean [11] and Gray
[6, 7]. It is important, however, to recognize that these
efforts address a different problem than what we consider
in this paper. They consider a computer system
with a number of users, classified as high or low,
who send inputs to and receive outputs from the system.
The problem is to prevent high users, who have
access to high information, from communicating with
low users, who should have access only to low information.
What makes treating privacy in this setting
especially difficult is that users need not be processes
under control of the system—they may be people, who
are external to the system and who can observe the
system's behavior from the outside. As a result, a high
user may be able to communicate covertly by modulating
system performance to encode high information
that a low user in turn decodes using a real-time clock
outside the system. Furthermore, because the low user
is measuring real time, the modulations can depend on
low-level system implementation details, such as the
paging and caching behavior of the underlying hardware.
This implies that it is not enough to prove privacy
with respect to a high-level, abstract system semantics
(like the semantics of Figure 1). To guarantee
privacy, it is necessary for the system model to address
all the implementation details.

In a mobile-code framework, where hosts are
trusted, ensuring privacy is more tractable. A key assumption
here is that any attempt to compromise privacy
must arise from within the mobile code, which is
internal to the system. As a result, the system can
control what the mobile code can do and what it can
observe. For example, if mobile-code threads are not
allowed to see a real-time clock, then they can measure
the timing of other threads only by observing variations
in thread interleavings. Hence, assuming a correct
implementation of the semantics in Figure 1, threads will
not be able to detect any variations in the running time
of a protected command, nor will they be able to detect
timing variations due to low-level implementation
details. Consequently, timing attacks are impossible in
well-typed, protected programs in our language. For
instance, Kocher describes a timing attack on RSA [9].
Basically, he argues that an attacker can discover a private
key $x$ by observing the amount of time required
by several modular exponentiations $y^x \bmod n$. Under
our framework, the modular exponentiation would be
protected,⁴ which means that no useful timing information
about exponentiation would be available to other
threads—it would always appear to execute in exactly
one step.
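An exact calculation of the point above, added here as an illustration and not taken from the paper: two threads run under a uniform scheduler that picks each live thread with probability 1/|O|, and a constructed thread alpha has a high-guarded conditional that either takes separate steps or runs as one protected step. The step model and all names (`alpha`, `BETA`, `final_l`, `low_view`) are assumptions of the example, not the semantics of Figure 1.

```python
from fractions import Fraction

SKIP = None  # a step that does not touch the low variable l

def alpha(h, protected):
    """Thread alpha: (if h = 1 then (skip; skip) else skip); l := 1."""
    if protected:
        # The whole high-guarded conditional runs as one atomic step.
        return (SKIP, 1)
    branch = (SKIP, SKIP) if h == 1 else (SKIP,)
    return (SKIP,) + branch + (1,)     # guard test, branch body, l := 1

BETA = (SKIP, 0)                       # thread beta: skip; l := 0

def final_l(threads, l=0):
    """Exact distribution of the final value of l under a uniform scheduler."""
    live = [t for t in threads if t]
    if not live:
        return {l: Fraction(1)}
    dist = {}
    pick = Fraction(1, len(live))      # each live thread runs with prob. 1/|O|
    for k, thread in enumerate(live):
        step, rest = thread[0], thread[1:]
        after = l if step is SKIP else step
        pool = live[:k] + [rest] + live[k + 1:]
        for value, p in final_l(pool, after).items():
            dist[value] = dist.get(value, Fraction(0)) + pick * p
    return dist

def low_view(h, protected):
    """What a low observer can learn: the distribution of the final l."""
    return final_l([alpha(h, protected), BETA])

if __name__ == "__main__":
    for protected in (False, True):
        for h in (0, 1):
            print("protected" if protected else "unprotected", "h =", h,
                  dict(low_view(h, protected)))
```

Unprotected, the final value of l is 1 with probability 11/16 when h = 0 and 13/16 when h = 1, so the distribution depends on h; protected, it is 1/2 for both values of h.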

7.  Other  related  research 

Other work in secure information flow, in a parallel
setting, includes that of Andrews and Reitman
[1], Melliar-Smith and Moser [13], Focardi and Gorrieri
[4, 5], and Banâtre and Bryce [2]. Melliar-Smith
and Moser consider covert channels in Ada. They describe
a data dependency analysis to find places where
Ada programs depend on the relative timing of operations
within a system. Andrews and Reitman give an
axiomatic flow logic for treating information flow in the
presence of process synchronization. They also sketch
how one might treat timing channels in the logic. Banâtre
and Bryce give an axiomatic flow logic for CSP
processes, also treating information flow arising from
synchronization. None of these efforts, though, gives a
satisfactory account of the security properties that they
guarantee. Focardi and Gorrieri identify trace-based
and bisimulation-based security properties for systems
expressed in an extension of Milner's CCS, which they
call the Security Process Algebra. These properties,
however, are possibilistic in nature (e.g. a system is
SNNI [5] if the set of traces that a low observer can
see of a system is possible regardless of whether high-level
actions are enabled or disabled in the system).

8.  Conclusion 

So what is the significance of our result? It depends
on what can be observed. With respect to internal program
behavior, our Probabilistic Noninterference result
rules out all covert flows from high variables to low
variables. But if external observation of the running
program is allowed, then of course covert channels of
the kind discussed in Section 6 remain possible. In this
case, more elaborate security properties, like Gray's
information flow security [7], may be needed. Note,
however, that the mobile code setting affords us more
control over external observations than would normally
be possible. When we execute some mobile code on our
machine, we can limit communication with the outside
world, preventing precise observations of a program's
execution time, for example.

⁴ Because we do not allow while commands to occur within
protected sections, this requires that we program the modular
exponentiation in terms of a primitive recursive looping construct.